Varnish · Varnish Cache · CVE-2025-47905
Name of the Vulnerable Software and Affected Versions:
Varnish Cache versions 7.6.3 and earlier, 7.7.0
Varnish Enterprise versions 6.0.13r13 and earlier
Description:
The issue allows client-side desync via HTTP/1 requests. It occurs because the product incorrectly allows the CRLF that delimits chunk boundaries to be skipped.
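As an added illustration (not Varnish code and not part of the advisory), the sketch below is a strict decoder for an HTTP/1 chunked body that enforces the CRLF after each chunk's data, the delimiter this flaw allows to be skipped. The function names and sample byte strings are constructed for this example; the grammar follows RFC 9112, section 7.1.

```python
import re

CRLF = b"\r\n"
# chunk-size is 1*HEXDIG; an optional chunk-ext may follow before the CRLF.
SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})(?:[ \t]*;[^\r\n]*)?")

class ChunkFramingError(ValueError):
    """A chunk delimiter is missing or malformed."""

def decode_chunked_strict(raw):
    """Return (decoded_body, bytes_consumed); raise ChunkFramingError on bad framing."""
    pos, body = 0, bytearray()
    while True:
        eol = raw.find(CRLF, pos)
        if eol < 0:
            raise ChunkFramingError(f"no CRLF after chunk-size line at offset {pos}")
        m = SIZE_LINE.fullmatch(raw[pos:eol])
        if m is None:
            raise ChunkFramingError(f"bad chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; the trailer section follows
        if len(raw) < pos + size + 2:
            raise ChunkFramingError(f"truncated chunk at offset {pos}")
        body += raw[pos:pos + size]
        pos += size
        # The delimiter this advisory concerns: chunk-data must end with CRLF.
        if raw[pos:pos + 2] != CRLF:
            raise ChunkFramingError(f"chunk data not followed by CRLF at offset {pos}")
        pos += 2
    while True:  # zero or more trailer lines, then an empty line
        eol = raw.find(CRLF, pos)
        if eol < 0:
            raise ChunkFramingError("unterminated trailer section")
        if eol == pos:
            return bytes(body), pos + 2
        pos = eol + 2

def framing_error(raw):
    """Return None for a well-framed body, else the reason it was rejected."""
    try:
        decode_chunked_strict(raw)
        return None
    except ChunkFramingError as exc:
        return str(exc)

# Constructed samples: a well-formed body, and one whose first chunk lacks its CRLF.
WELL_FORMED = b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n"
MISSING_CRLF = b"5\r\nhello0\r\n\r\n"
```

The returned `bytes_consumed` marks where the next request on the connection begins, which is the boundary two parsers must agree on to avoid a desync.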
Recommendations:
For Varnish Cache versions 7.6.3 and earlier, update to version 7.6.3 or later.
For Varnish Cache version 7.7.0, update to version 7.7.1 or later.
For Varnish Enterprise versions 6.0.13r13 and earlier, update to version 6.0.13r14 or later.